Configure Analytics Hub roles

This document describes the Analytics Hub user roles and how to grant them to users. For more information, see Analytics Hub roles.

Analytics Hub user roles

The following sections describe the predefined Analytics Hub roles. You can assign these roles to users to perform various tasks on your data exchanges and listings.

Analytics Hub Admin role

To manage data exchanges, Analytics Hub provides the Analytics Hub Admin role (roles/analyticshub.admin) that you can grant for a project or data exchange. This role lets users perform the following tasks:

  • Create, update, and delete data exchanges.
  • Create, update, delete, and share listings.
  • Manage Analytics Hub administrators, listing administrators, publishers, subscribers, and viewers.

Users with this role are referred to as Administrators.

Analytics Hub Publisher and Listing Admin roles

To manage listings, Analytics Hub provides the following predefined roles that you can grant for a project, a data exchange, or a listing:

  • Analytics Hub Publisher role (roles/analyticshub.publisher), which lets users perform the following tasks:

    Users with this role are referred to as Publishers.

  • Analytics Hub Listing Admin role (roles/analyticshub.listingAdmin), which lets users perform the following tasks:

Analytics Hub Subscriber and Viewer roles

To view and subscribe to listings, Analytics Hub provides the following predefined roles that you can grant for a project, a data exchange, or a listing:

  • Analytics Hub Subscriber role (roles/analyticshub.subscriber), which lets users view and subscribe to listings.

    Users with this role are referred to as Subscribers.

  • Analytics Hub Viewer role (roles/analyticshub.viewer), which lets users view listings and data exchange's permissions.

    Users with this role are referred to as Viewers.

Grant Analytics Hub roles

Depending on your need, you can grant the Analytics Hub roles at the following levels of the resource hierarchy:

  • Project. If you grant users a role for a project, it's applied to all data exchanges and listings that the project contains.

  • Data exchange. If you grant users a role for a data exchange, then it's applied to all listings that the data exchange contains.

  • Listing. If you grant users a role for a listing, then it's applied to only that specific listing.

Grant the role for a project

If you want to set IAM policies on a project, you must have the roles/resourcemanager.projectIamAdmin role on that project. To grant the predefined Analytics Hub user roles for a project, follow these steps:

Console

  1. Go to IAM for the project.

    Go to IAM

  2. Click Add.

  3. In the New principals field, enter the email address of the identity you want to grant access to. For example:

    • Google Account email: test-user@gmail.com
    • Google group: admins@googlegroups.com
    • Service account: server@example.gserviceaccount.com
    • Google Workspace domain: example.com
  4. In the Role list, hold the pointer over Analytics Hub and select one of the following roles:

    • Analytics Hub Admin
    • Analytics Hub Publisher
    • Analytics Hub Listing Admin
    • Analytics Hub Subscriber
    • Analytics Hub Viewer
  5. Optional: To further control user's access to Google Cloud resources, add conditional role binding.

  6. Save your changes.

You can delete and update administrators for a project through the same IAM panel, explained in the preceding steps.

gcloud

To grant roles at a project level, use the gcloud projects add-iam-policy-binding command:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member='PRINCIPAL' \
    --role='roles/analyticshub.admin'

Replace the following:

  • PROJECT_ID: the project ID—for example, my-project-1
  • PRINCIPAL: a valid identity to which you want to grant the role

    For example:

    • Google Account email: user:user@gmail.com
    • Google group: group:admins@googlegroups.com
    • Service account: serviceAccount:server@example.gserviceaccount.com
    • Google Workspace domain: domain:example.com

API

  1. Read the existing policy with the resource's getIamPolicy method. For projects, use the projects.getIamPolicy method.

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy
    

    Replace PROJECT_ID with the project ID—for example, my-project-1.

  2. To add principals and their associated roles, edit the policy with a text editor. Use the following format to add members:

    • user:test-user@gmail.com
    • group:admins@example.com
    • serviceAccount:test123@example.domain.com
    • domain:example.domain.com

    For example, to grant the roles/analyticshub.admin role to group:admins@example.com, add the following binding to the policy:

    {
     "members": [
       "group:admins@example.com"
     ],
     "role":"roles/analyticshub.admin"
    }
    
  3. Write the updated policy by using the setIamPolicy method.

    For example, to set a policy at the project level, use the project.setIamPolicy method. In the body of the request, provide the updated IAM policy from the previous step.

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy
    

    Replace the PROJECT_ID with the project ID.

Grant the role for a data exchange

To grant the role for a data exchange, follow these steps:

Console

  1. In the console, go to the Analytics Hub page.

    Go to Analytics Hub

  2. Click the data exchange name for which you want to set permissions.

  3. Click Set permissions.

  4. To add principals, click Add principal.

  5. In the New principals field, add the emails to which you want to grant access.

  6. For Select a role, hold the pointer over Analytics Hub, and then select one of the following Identity and Access Management (IAM) roles:

    • Analytics Hub Admin
    • Analytics Hub Publisher
    • Analytics Hub Listing Admin
    • Analytics Hub Subscriber
    • Analytics Hub Viewer
  7. Click Save.

API

  1. Read the existing policy with the listing getIamPolicy method by using the projects.locations.dataExchanges.getIamPolicy method:

    POST https://analyticshub.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/dataExchanges/DATAEXCHANGE_ID:getIamPolicy
    

    Replace the following:

    • PROJECT_ID: the project ID—for example, my-project-1.
    • LOCATION: the location for your data exchange.
    • DATAEXCHANGE_ID: the data exchange ID.

    Analytics Hub returns the current policy.

  2. To add or remove members and their associated Identity and Access Management (IAM) roles, edit the policy with a text editor. Use the following format to add members:

    • user:test-user@gmail.com
    • group:admins@example.com
    • serviceAccount:test123@example.domain.com
    • domain:example.domain.com

    For example, to grant the roles/analyticshub.subscriber role to group:subscribers@example.com, add the following binding to the policy:

    {
     "members": [
       "group:subscribers@example.com"
     ],
     "role":"roles/analyticshub.subscriber"
    }
    
  3. Write the updated policy by using the projects.locations.dataExchanges.setIamPolicy method. In the body of the request, provide the updated IAM policy from the previous step.

    POST https://analyticshub.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/dataExchanges/DATAEXCHANGE_ID:setIamPolicy
    

    In the body of the request, provide the listing details. If the request is successful, then the response body contains details of the listing.

You can delete and update roles for a data exchange through the same IAM panel, explained in the preceding steps.

Grant the role for a listing

To grant the role for a listing, follow these steps:

Console

  1. In the console, go to the Analytics Hub page.

    Go to Analytics Hub

  2. Click the data exchange name that contains the listing.

  3. Click the listing for which you want to add users.

  4. Click Set permissions.

  5. To add principals, click Add principal.

  6. In the New principals field, add the emails of the identity to which you want to grant access.

  7. For Select a role, hold the pointer over Analytics Hub and then select one of the following roles:

    • Analytics Hub Admin
    • Analytics Hub Publisher
    • Analytics Hub Listing Admin
    • Analytics Hub Subscriber
    • Analytics Hub Viewer
  8. Click Save.

API

  1. Read the existing policy with the listing getIamPolicy method by using the projects.locations.dataExchanges.listings.getIamPolicy method:

    POST https://analyticshub.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/dataExchanges/DATAEXCHANGE_ID/listings/LISTING_ID:getIamPolicy
    

    Replace the following:

    • PROJECT_ID: the project ID—for example, my-project-1.
    • LOCATION: the location of the data exchange that contains the listing.
    • DATAEXCHANGE_ID: the data exchange ID.
    • LISTING_ID: the listing ID.

    Analytics Hub returns the current policy.

  2. To add or remove members and their associated Identity and Access Management (IAM) roles, edit the policy with a text editor. Use the following format to add members:

    • user:test-user@gmail.com
    • group:admins@example.com
    • serviceAccount:test123@example.domain.com
    • domain:example.domain.com

    For example, to grant the roles/analyticshub.publisher role to group:publishers@example.com, add the following binding to the policy:

    {
     "members": [
       "group:publishers@example.com"
     ],
     "role":"roles/analyticshub.publisher"
    }
    
  3. Write the updated policy by using the projects.locations.dataExchanges.listings.setIamPolicy method. In the body of the request, provide the updated IAM policy from the previous step.

    POST https://analyticshub.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/dataExchanges/DATAEXCHANGE_ID/listings/LISTING-ID:setIamPolicy
    

    In the body of the request, provide the listing details. If the request is successful, then the response body contains details of the listing.

You can delete and update roles for a listing through the same IAM panel, explained in the preceding steps.

What's next